MobileIron Core 11.0.0.0 System Manager Guide| 92
intercepts and decrypts HTTPS network traffic and when it determines that the final destination is MobileIron Core,
it re-encrypts and forwards the traffic to Core. The devices that register to Core (using port 443) must send HTTPS
requests to the TFE rather than to MobileIron Core. Also, the TFE must be provisioned with digital certificates that
establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority.
Note the following:
• If you are using SAML to allow local administrator users to use single sign-on for the Admin Portal and
self-service user portal, after IdP authentication, the user is redirected to Core's URL, not the Trusted Front
End's URL. The Trusted Front End is only for communication with devices.
• If you are not using an Apache server for your Trusted Front End, work with MobileIron Professional
Services or a MobileIron certified partner to determine if you can set up this deployment.
Before you begin
Work with MobileIron Professional Services or a MobileIron certified partner to set up this deployment.
1. Enable mutual authentication for Apple and Android devices as described in "Mutual authentication
between devices and MobileIron Core" in the MobileIron Core Device Management Guide.
2. In your devices' sync policies in the Admin Portal, set Server IP/Host Name to your Trusted Front End.
This configuration makes devices send requests to the Trusted Front End instead of Core.
3. If you use an external host, which is configured in the Admin Portal, in Settings > General > Enterprise,
make sure your external host is configured to forward requests to the Trusted Front End. Changing the
external host requires a Core restart, which you can do in the System Manager, in Maintenance >
Reboot.
4. Set up your Trusted Front End to forward HTTPS requests from devices on port 443 to MobileIron Core.
Procedure
1. In Security > Advanced > Trusted Front End, select Enable TFE use for communication from
devices to MobileIron Core.
2. Click Apply.
3. Click Download CA Certificates.
A file called tfe-ca-certs.zip downloads. It contains the certificates that establish an identity chain of trust
with a legitimate server verified by a trusted third-party certificate authority. These certificates allow the
Trusted Front End and Core to validate the identity certificate that the device presents.
4. Provision your Trusted Front End with the downloaded certificates.
5. Your MobileIron contact has an example configuration file for Apache called ssl.conf. If you are using the
Apps@Work web clip for iOS devices, and you are using it on a port other than 7443, modify the value
7443 in ssl.conf.
If you are not using Apache as your Trusted Front End server, work with MobileIron Professional Services
or a MobileIron certified partner to determine if you can set up this deployment.
6. Install ssl.conf on your Trusted Front End.
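The fragment below is an added illustration of the two TLS legs described above (device to Trusted Front End, Trusted Front End to Core), written with standard Apache mod_ssl and mod_proxy directives. It is not MobileIron's ssl.conf and does not replace it: the host names, file paths, the concatenated PEM layout and the choice of SSLVerifyClient optional are assumptions, and the 7443 Apps@Work listener and any Core-specific directives from the vendor's file are not shown.

```apache
# Added illustration, not MobileIron's ssl.conf.
# Host names and file paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName tfe.example.com

    # Device-facing leg: the TFE terminates TLS with its own server
    # certificate, issued by a CA the devices already trust.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/tfe.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/tfe.example.com.key

    # Trust anchors for the identity certificate a device presents:
    # the CA certificates from tfe-ca-certs.zip, assumed here to be
    # concatenated into a single PEM file.
    SSLCACertificateFile  /etc/pki/tls/certs/tfe-ca-certs.pem
    # Assumption: "optional" lets a client without an identity
    # certificate still connect; use the value from the vendor's file.
    SSLVerifyClient optional
    SSLVerifyDepth  3

    # Core-facing leg: traffic is re-encrypted before it is forwarded.
    SSLProxyEngine on

    # Weak (SSLProxyVerify defaults to "none"): the TFE would accept
    # any certificate from whatever answers at the upstream address.
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerName off

    # Corrected: require a valid, unexpired certificate for Core's
    # host name, chaining to the CA that issued Core's certificate.
    SSLProxyVerify            require
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on
    SSLProxyCACertificateFile /etc/pki/tls/certs/core-issuing-ca.pem

    # Forward device requests arriving on port 443 to Core.
    ProxyPass        / https://core.example.com/
    ProxyPassReverse / https://core.example.com/
</VirtualHost>
```

Running `apachectl configtest` on the Trusted Front End checks the syntax of whichever configuration you install before Apache is restarted.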
Advanced: Trusted Front End